standard
turbot/aws_compliance

Trigger: Detect & correct Config disabled in regions

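Detects regions where AWS Config is disabled. As written, the query below reports a region only when no configuration recorder row exists for it and at least one recorder is successfully recording all supported and global resource types.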

Query

-- Lists regions that have no AWS Config configuration recorder, one row per
-- account/region pair, for use as the detection set of the trigger.
--
-- NOTE(review): the outer query is gated on global_config_recorders >= 1, so
-- when no recorder satisfies the CTE filter the result is empty and nothing
-- is detected at all. Confirm that this is the intended behavior for an
-- environment where Config is not recording anywhere.
-- NOTE(review): the CTE count is not grouped by account_id; if the connection
-- aggregates several accounts, a healthy recorder in one account presumably
-- opens the gate for all of them. Verify against the connection setup.
with global_recorders as (
  -- Number of recorders that are recording, last reported SUCCESS, and cover
  -- all supported resource types including global ones.
  select
    count(*) as global_config_recorders
  from
    aws_config_configuration_recorder
  where
    status ->> 'Recording' = 'true'
    and status ->> 'LastStatus' = 'SUCCESS'
    and recording_group -> 'AllSupported' = 'true'
    and recording_group -> 'IncludeGlobalResourceTypes' = 'true'
)
select
  concat('[', a.account_id, '/', a.name, ']') as title,
  a.sp_connection_name as conn,
  a.name as region
from
  aws_region as a
  -- Outer join keeps regions without a matching recorder; their r.* columns
  -- come back null.
  left join aws_config_configuration_recorder as r
    on r.region = a.name
    and r.account_id = a.account_id
  -- Single-row CTE, attached to every region row.
  cross join global_recorders as g
where
  -- No recorder row matched this account/region. A recorder that exists but
  -- has a non-null status (for example one that is stopped) is not reported.
  r.status is null
  and g.global_config_recorders >= 1
  -- Skip regions the account has not opted in to.
  and a.opt_in_status <> 'not-opted-in';

Schedule

15m

Tags

category = Compliance
mod = aws
service = AWS/Config